Administration Guide


Changing passwords

Your method of account management determines which steps are necessary to change passwords.

Changing passwords for a file collection system

If you use file collections rather than NIS, you must change the password in the master password file. Although this file might not be maintained on the control workstation, any changes to passwords must be made known to the control workstation.

  1. Change the password on the host where the master password file resides.
  2. If the master password server is not the control workstation, copy the files /etc/passwd and /etc/security/passwd from the password server machine to the control workstation.
  3. The new password is propagated throughout the SP system within one hour.

Restricting use of the control workstation for general users

If you use file collections on your system, users must be able to log in to the node that is the password file server to change their passwords. If the control workstation is the password server, you must allow users to log in to change their passwords. However, you might want only administrative tasks performed on the control workstation, and might not want general users to be able to do anything other than change their passwords.

A restrict login script is provided so you can allow full login on the control workstation to the users you designate and restrict full login to all others. The script can be incorporated into the profile that runs during every login to the control workstation. Users not designated can log in only to change their passwords and then are logged out.

The restrict login script does not keep anyone from using the su command to switch the login session to that of another user ID. If you are logged in on the control workstation and you switch to a user ID that is restricted, you are prompted to change the password for that ID. Your activity is then subject to the security credentials of that user ID.

This script is located in the /usr/lpp/ssp/config/admin/cw_restrict_login file. To use this script, do the following:

  1. Edit the /usr/lpp/ssp/config/admin/cw_allowed file.

    The cw_allowed file defines to the cw_restrict_login script which user names are allowed to fully log in to the control workstation. The cw_allowed file is shipped containing three administrators' user names to show how the file is formatted. Remove these sample names from the file.

    Start each user name in the leftmost column and place one user name per line. Place no comments in the file. You do not need to list the root user in the file; the script is written to allow the root user to fully log in to the control workstation.

  2. Integrate the restricted login script into the control workstation login process by adding the following lines to the beginning (or at the most appropriate place) of the /etc/profile file on the control workstation:
    # Allow general users to login to control workstation to only change
    # their password then log them out.
    /usr/lpp/ssp/config/admin/cw_restrict_login
    

    If you are using the AIX Common Desktop Environment (CDE) on the control workstation, make a link from the restricted login script for CDE to the appropriate CDE directory:

    ln -s /usr/lpp/ssp/config/admin/cde_cw_restrict_login \
    /etc/dt/config/Xsession.d/cde_cw_restrict_login
    
  3. Verify the file is set up correctly:
    1. Log in to the control workstation as root and make sure you can fully log in.
    2. Log in as a user that is allowed (listed in cw_allowed) to log in to the control workstation. Make sure this user can fully log in.
    3. Log in as a user that is not allowed (not listed in cw_allowed) to fully log in to the control workstation. Make sure this user can change the password and then is logged out.
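The check that such a login hook has to make is simple but easy to get wrong: a user name must match a whole line of cw_allowed exactly, not a substring of it, or a name like admin would also admit adminbob. The following illustrative shell functions are an added example of that check and are not IBM's cw_restrict_login script; the function names cw_user_allowed and cw_login_mode, the sample user names and the constructed cw_allowed file are assumptions made for the example, which follows the file format described above (one name per line in the leftmost column, no comments, root always allowed).

```shell
#!/bin/sh
# Illustrative re-implementation of the allowed-user test a restricted login
# hook needs. Hypothetical example code, not the PSSP cw_restrict_login script.
# Assumed file format (as documented): one user name per line, starting in
# column 1, no comments; root is always allowed even if not listed.

# Return 0 (allowed) if USER is root or appears as a whole line in ALLOWED_FILE.
cw_user_allowed() {
    user=$1
    allowed_file=$2
    [ "$user" = "root" ] && return 0
    # An unreadable or missing list admits nobody but root (fail closed).
    [ -r "$allowed_file" ] || return 1
    # -x: whole-line match, so "admin" does not admit "adminbob";
    # -F: literal match, so a name containing regex metacharacters is not
    #     interpreted as a pattern;  --: a name starting with "-" is not an option.
    grep -qxF -- "$user" "$allowed_file"
}

# Decide what the login hook should do for USER: "full" or "passwd-only".
cw_login_mode() {
    if cw_user_allowed "$1" "$2"; then
        echo full
    else
        echo passwd-only
    fi
}

# Shape of the /etc/profile hook for an interactive login (shown as a comment
# so this file can be run without ending your session):
#   if ! cw_user_allowed "$(id -un)" /usr/lpp/ssp/config/admin/cw_allowed; then
#       passwd   # let the restricted user change the password ...
#       exit     # ... and then end the session
#   fi

# Demonstration with a constructed cw_allowed file in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'admin\nsecops\n' > "$tmp/cw_allowed"   # constructed sample list
    for u in root admin adminbob secops guest; do
        printf '%s: %s\n' "$u" "$(cw_login_mode "$u" "$tmp/cw_allowed")"
    done
    rm -rf "$tmp"
}

demo
```

Running the demo prints full for root, admin and secops and passwd-only for adminbob and guest; the adminbob line is the case a substring match would get wrong.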

To remove this restrictive login, you can comment out (add a # at the beginning of the cw_restrict_login script execution line) or delete the lines you added in the /etc/profile file on the control workstation. If you are using CDE, also remove the cde_cw_restrict_login link in the /etc/dt/config/Xsession.d directory.

Changing passwords on systems without NIS or file collection

If neither NIS nor file collection is used, you must distribute these updated password files across the SP system after you change the password.

  1. /etc/passwd
  2. /etc/security/passwd

Changing passwords when SP user administration interface is configured

If you have configured the SP USER ADMINISTRATION INTERFACE to true and you are not using NIS, the following base AIX commands are linked to SP commands on the nodes:

The original AIX files have been saved in their original location with extension .aix added. For example, the original AIX passwd command is in /bin/passwd.aix.

The linked sp_... commands inform users what machine to log in to when, or if, they need to change password, gecos, or shell information.

Important Notes
  1. Under certain circumstances, the user is prompted to change passwords during the login process. If this occurs, the user should log in to the machine serving the password file and make the change from there. If this is not done, the password change will be only local to the node; in addition, if File Collections is being used, the password change will be only temporary. To avoid this problem, communicate to users what machine to log in to when a password change is required during the login process. IBM suggests placing this information in the message of the day (MOTD).
  2. If you de-install an AIX modification level after upgrading or rejecting an AIX PTF, the lppchk command is run automatically. This command reports the system as "broken" when it discovers the mismatch in file information for the AIX linked commands. This problem can be alleviated by following the proper procedure documented in the PSSP Installation and Migration Guide, section on Recovering from a Node Migration Failure, particularly steps 3 and 6.
